DATA bill will not effectively help deal with the very real threat of ID theft

RE: Oppose H.R. 4127, Data Accountability and Trust Act (DATA)

2 November 2005

Subcommittee on Commerce, Trade, and Consumer Protection
Committee on Energy and Commerce
U.S. House of Representatives
Washington, DC 20510

Dear Representative:

We are writing on behalf of the members of the undersigned consumer and privacy advocacy groups to express our significant concerns about H.R. 4127, the Data Accountability and Trust Act (DATA Act). Unless this bill is very significantly amended, we do not believe it will effectively help Americans deal with the very real threat of identity theft.

We share the bill’s sponsors’ desire to move ahead on this important issue, and, in particular, commend the sponsors for including provisions regulating the activities of information brokers such as ChoicePoint and Lexis-Nexis. In addition, we appreciate the provision in the measure requiring that an entity that gives notice of a breach also provide, on request, quarterly credit reports at no cost to the consumer.

However, we believe the bill is seriously deficient in several important ways. H.R. 4127 would make it far too easy for companies to avoid notifying consumers when breaches of security occur. It also lacks strong enforcement provisions, and it would undermine data security protections already enjoyed by millions of Americans in many states. In fact, in the last year alone, at least 19 states have enacted data security bills, many of which have broader coverage than this bill. All of those stronger provisions would be eliminated if this bill becomes law.

Below are the key concerns the undersigned groups have identified with the DATA Act:

First, its so-called breach trigger for notice to individual consumers is nearly insurmountable. We doubt whether any of the breaches affecting over 50 million Americans in 2005 alone would have required notice had this bill been law. The bill requires a “reasonable basis to conclude that there is a significant risk of identity theft” before individual notice is required. Several problems arise with this “don’t know, don’t tell” construct:

• First, identity thieves often wait for months after a breach before striking, making it difficult for anyone to evaluate the risk to individuals until their identities are already stolen. Stolen data may also be sold to multiple people, putting individuals at greater risk.
• Second, if a risk assessment is inescapable, the “significant risk” of the present trigger is simply too high a threshold for notification. Individuals who are at some risk still need to be informed.
• Third, the trigger leaves companies off the hook from notification when they do not know whether individuals are at risk. At the very least, companies should have to notify individuals unless they make a written certification to a government agency that individuals are not at risk
• Fourth, a trigger that allows the breached entity to decide whether individuals are at risk will not work. The breached entity may have an incentive not to disclose the breach.
• Fifth, there are harms other than identity theft that could result from a breach of information, for example, stalking and domestic violence.
• Sixth, including a risk standard within the definition of “breach of security” undercuts the definition of a breach.

Second, while we further believe the bill should be amended to allow enforcement by aggrieved consumers, at a minimum, the bill should be modified so that it can be enforced by state Attorneys General, who have broad investigative resources and authority that can complement Federal Trade Commission enforcement.

Third, its information broker provisions can be strengthened in numerous ways, as we outlined in detail in materials provided to staff of both the majority and minority. For example, individuals who find errors in their data broker files are not able to correct those errors; instead, they can merely add a note to the file stating that the information is in dispute.

Finally, we oppose the bill’s preemption of stronger state laws. We oppose preemption in this bill because it cuts off innovation and gives thieves a “head start” in developing new ways to steal information and to defraud both consumers and creditors. States have been ahead of the federal government with respect to enacting consumer protection privacy laws in this information age. For example, we know about ChoicePoint and the myriad scandals that have followed because of California’s innovative notice laws, passed several years ago and now widely copied on other states.

As drafted, the preemption would do away with stronger state notice-of-breach laws. For example, California, Georgia, Illinois, Maine, Minnesota, Nevada, New York, North Dakota, Rhode Island, Tennessee, and Texas do not have a risk trigger or a risk exemption in their notice-of-breach laws. Indiana also has no risk trigger or exemption in its notice law, which applies only to government agencies.

Equally important, as we move further into the information age, hackers and identity thieves are sure to become more sophisticated, and laws may need to change quickly to catch up with the changing practices of sophisticated thieves. Because some states tend to act more quickly than the federal government, it is important not to preempt their ability to act to protect consumers.

In addition, while the bill is intended to cover only those entities reached by FTC jurisdiction, the preemption is not limited to those entities covered by the bill. Thus, section 6 could be read to preempt all state notice laws, even laws that cover entities not covered by the FTC regulations called for in the bill. These entities include financial institutions, common carriers, and state and local government entities.

Although we have appreciated the opportunity that you and your staff provided many of us to offer suggestions on how to proceed with this legislation, we are disappointed that the final bill, as introduced, appears to accept none of our suggestions. We believe that it would be wise to postpone this markup and instead hold a legislative hearing on the proposed bill with a wide variety of witnesses to explain the bill’s problems.

In addition, we note that 47 state and territorial Attorneys General have publicly expressed their very similar and detailed concerns about proposed data security bills pending in Congress, including H.R. 4127, in a letter to Congressional leadership, which the Attorneys General have also provided to the Committee.

If the markup is held, we urge strong support for any strengthening amendments to address the numerous problems we have identified and we urge your opposition to the bill if it is not significantly strengthened.

Please contact either Susanna Montezemolo of Consumers Union (202-462-6262) or Ed Mierzwinski of U.S. PIRG (202-546-9707) if you or your staff have any questions.

Sincerely yours,

Ed Mierzwinski
Director of Consumer Protection
U.S. Public Interest Research Groups